Recent healthcare breaches—and subsequent lawsuits—at the hands of online tracking software have motivated the Office for Civil Rights (OCR) to publish a cautionary bulletin for covered entities and business associates. The notice emphasizes the dangers and potential HIPAA compliance violations when using online tracking applications and reiterates the healthcare industry’s responsibility to patient privacy and protection.

What Are Online Tracking Applications?

The bulletin states that “tracking technologies are used to collect and analyze information about how users interact with regulated entities’ websites or mobile applications (“apps”).”

These tracking tools take the form of cookies, scripts, web beacons, code, or pixels that track certain user behaviors. The data is often used for marketing and product insights. However, some of the more sensitive data they gather can include a device’s operating system, name, IP address, network or geographical location, or device ID. They can also purloin users’ names, addresses, phone numbers, and—in the case of a recent healthcare-related breach—medical conditions, doctors’ names, appointment times, dates, and other sensitive information.

The Pixel Breach That Broke the News

Several healthcare systems and Meta (Facebook’s parent company) came under fire after Meta’s pixel tracking software compromised millions of patients’ PHI. One entity, WakeMed Health and Hospitals, along with Meta, incurred a lawsuit over the exposure.

According to reports, the healthcare organizations involved used Meta Pixel tracking software on their websites or patient portals. Rather than filtering out sensitive patient data as the software is supposed to do, it allowed the information to slide onto the Meta server and possibly to other media outlets. In WakeMed’s notification to patients, they stated that “the pixel’s software code may have also transmitted some of the information entered into the MyChart patient portal and appointment scheduling page back to Facebook.”

An independent investigation suggested that approximately 33 percent of major U.S. healthcare providers directly violated HIPAA when they unwittingly shared PHI with Meta.

How Does HIPAA Apply to Tracking Technologies?

Though HIPAA doesn’t govern third-party health apps that consumers choose for personal use, it does regulate those directly associated with healthcare entities. The HIPAA rules apply to protected health information (PHI) that has been gathered through tracking apps associated with covered entities or has been shared with tracking vendors.

The OCR alert warns that regulated entities aren’t permitted to use these tracking technologies “in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin clearly states that entities that disclose health data to tracking vendors without securing related patient authorizations violate HIPAA.

Melanie Fontes Rainer, OCR Director, stated that “providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law. This means considering the risks to patients’ health information when using tracking technologies.” 

Of course, when tracking software companies claim to filter PHI and other sensitive data properly, it can be difficult for covered entities to know they’re compromising sensitive patient information. The utmost due diligence must be conducted with tracking technologies.

OCR’s Suggestions for Covered Entities Using Tracking Tech

The OCR’s bulletin listed several suggestions to help covered entities protect patient data and comply with HIPAA when using tracking software:

  1. Identify Website PHI
    Regulated entities should review data that they collect on their website and ensure that PHI is not present.

  2. Secure Business Associate Agreements
    If a vendor qualifies as a business associate under HIPAA, the covered entity should enter into a HIPAA-compliant business associate agreement (BAA). The agreement must declare the vendor’s PHI permitted uses and disclosures.

  3. Determine if Patient Authorization Is Required
    If a BAA is not present, regulated entities should determine whether they must obtain patients’ HIPAA-compliant authorizations before sharing PHI with a tracking vendor. Website alerts that allow users to accept or reject a site's cookies are not a valid form of HIPAA authorization. A tracking vendor’s agreement to de-identify PHI before the information is saved is also insufficient.
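
One way to carry out the review in step 1, as an added example that is not part of the OCR bulletin or this article: a Node.js script that audits a capture of a site's outbound browser requests (for instance a DevTools or HAR export) and flags requests to third-party tracker hosts whose parameters carry PHI-like field names, including a page URL embedded in a beacon parameter, which is how scheduling-page data of the kind described above can reach a vendor. The tracker host list, the PHI field-name pattern, the `/tr/` beacon path, the `cd[...]` parameter style and every request record below are constructed assumptions for the example, not data from any real site.

```javascript
// Audit captured outbound requests for PHI leaking to third-party trackers.
// Added example: hosts, field names and request records are constructed.

// Hosts of tracking vendors to check (assumed list for the example).
const TRACKER_HOSTS = new Set([
  'www.facebook.com',
  'www.google-analytics.com',
]);

// Form/query field names that commonly carry PHI on a patient portal or
// scheduling page. Constructed pattern; tune it to the site under review.
const PHI_FIELD_PATTERN =
  /(patient|doctor|provider|appointment|condition|diagnosis|mrn|dob|birth|phone|email)/i;

// Collect query-string and form-encoded body parameters into one Map.
function extractParams(req) {
  const url = new URL(req.url);
  const params = new Map(url.searchParams);
  if (req.body) {
    for (const [k, v] of new URLSearchParams(req.body)) params.set(k, v);
  }
  return { host: url.hostname, params };
}

// Trackers often send the current page URL, query string included, as a
// parameter value. Return any PHI-like keys found inside such a URL.
function phiKeysInEmbeddedUrl(value) {
  try {
    const inner = new URL(value);
    return [...inner.searchParams.keys()].filter((k) => PHI_FIELD_PATTERN.test(k));
  } catch {
    return []; // value is not an absolute URL
  }
}

// Audit one captured request; returns a finding object or null.
function auditRequest(req) {
  const { host, params } = extractParams(req);
  if (!TRACKER_HOSTS.has(host)) return null; // first-party traffic is out of scope
  const fields = [];
  for (const [key, value] of params) {
    if (PHI_FIELD_PATTERN.test(key)) fields.push(key);
    for (const inner of phiKeysInEmbeddedUrl(value)) fields.push(`${key}->${inner}`);
  }
  return fields.length ? { host, page: req.page, fields } : null;
}

// Audit a whole capture and keep only the requests with findings.
function auditCapture(requests) {
  return requests.map(auditRequest).filter(Boolean);
}

// Constructed capture resembling a HAR export of a scheduling page: one
// first-party form post, one pixel beacon, one analytics page-view hit.
const pixelQuery = new URLSearchParams({
  id: 'PIXEL_ID_PLACEHOLDER',
  ev: 'Schedule',
  'cd[doctor_name]': 'Dr. Rivera',
  'cd[appointment_time]': '2023-03-02T09:00',
  dl: 'https://portal.example-hospital.test/mychart/schedule?condition=hypertension',
});
const SAMPLE_CAPTURE = [
  {
    page: '/mychart/schedule',
    method: 'POST',
    url: 'https://portal.example-hospital.test/api/appointments',
    body: 'doctor=Dr.+Rivera&appointment_time=2023-03-02T09:00',
  },
  {
    page: '/mychart/schedule',
    method: 'GET',
    url: `https://www.facebook.com/tr/?${pixelQuery}`,
  },
  {
    page: '/locations',
    method: 'GET',
    url: 'https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Flocations',
  },
];

// Running the file prints the findings for the constructed capture.
console.log(JSON.stringify(auditCapture(SAMPLE_CAPTURE), null, 2));
```

On this capture the first-party form post is ignored and the analytics hit is clean, while the pixel beacon is reported with the `cd[doctor_name]` and `cd[appointment_time]` fields and the `condition` key carried inside the `dl` page URL. A real review would replace the constructed capture with an export taken while walking through the portal and scheduling flows, and would treat any finding as a disclosure to evaluate under the BAA and authorization steps that follow.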

The WakeMed lawsuit summed up covered entities’ responsibilities well, stating: “Healthcare providers that collect and store private information have statutory, regulatory, contractual, and common law duties to safeguard that information and ensure it remains private and safe from disclosure to unauthorized parties.” Covered entities are the guardians of patient data. They must place its protection among their highest priorities as technology evolves and expands information distribution and harvesting.

CompliancePro Solutions